29

I'm very confused.

I basically understand how DNS works. Here's an example that helps illustrate what I'm having trouble understanding.

Right now, I run a small web-server. I use my provider's DNS manager, so I don't have a DNS server hosted on the machine.

Let's say for a second, that I don't use my host's DNS, and I decide to set up a DNS server on my server. Hypothetical scenario: my (entire) server goes down - DNS included. Why do I need backup DNS? If the server is down, who cares if the DNS server is down too, considering that even if I had DNS up (it wasn't on the crashed server), it wouldn't be able to forward requests anyway since the server would be down?

Is the point of having secondary DNS, to be able to change the IP addresses that your DNS server points to, so if your webserver was down, you could redirect traffic to a backup? How would you switch to the secondary provider, in the event that your main DNS provider becomes unavailable? Is a backup DNS system basically up all the time? How is it configured? Is it just an exact clone of the DNS server you would have on your server? Do they run simultaneously?

Hopefully someone can see what I'm hung up on, and provide some guidance.

HopelessN00b
Sam Levin

8 Answers

26

The major point in having a secondary DNS server is as backup in the event the primary DNS server handling your domain goes down. In this case, your server would still be up, and so without having a backup, nobody could get to your server, possibly costing you lots of lost customers (i.e. REAL MONEY).

A secondary DNS server is always up, and ready to serve. It can help balance the load on the network as there are now more than one authoritative place to get your information. Updates are generally performed automatically from the master DNS. Thus it is an exact clone of the master.

Generally a DNS server contains more information than just a single server: it might contain mail routing information, information for many many hosts, mail spam keys, etc. So resiliency and redundancy are of DEFINITE benefit to domain holders.

I hope this helps your understanding.

mdpc
  • Although generally with mail servers these days if an MX record doesn't resolve the message is put into a queue to try again instead of outright rejected - so if your mail server and/or MX DNS record goes down you should be okay from a mail perspective... but still screwed in every other way! – William Nov 27 '16 at 05:01
13

Is the point of having secondary DNS

Only extremely small organizations can do everything on a single server. I have many servers, I want my email to be able to continue operating even though the web server is down. I have services hosted on external networks that I want to stay up even if my Internet link was down.

Is a backup DNS system basically up all the time?

Usually.

How is it configured?

It depends on the DNS server software, but usually on the 'backup server', you set it up as a secondary. Then you tell it the IP of the master server, and the zones you want replicated.

Zoredache
11

It is a must of the RFC. See http://www.ietf.org/rfc/rfc1035.txt

To cite the important things from page 4:

The DNS requires that all zones be redundantly supported by more than one name server. Designated secondary servers can acquire zones and check for updates from the primary server using the zone transfer protocol of the DNS.

mailq
10

The backup DNS servers (one or more) will be slaves to your primary DNS server. Changes to the primary DNS server will be picked up by the slaves. This may be done on a periodic basis, or in response to a notification from the primary server. This is one cause of delays in changes to DNS being recognized across the Internet. Your primary and backup nameservers will be listed as the nameservers for your domain.

Before DNS notify, slave nameservers would have a prior version of the DNS data for some period of time. (This is one of the purposes of the serial number.) Once all the nameservers have updated to the same version (same serial number) they should all have the same data. Editing a zone file without incrementing the serial number can cause inconsistent data.

There is no switching to the backup DNS server(s). DNS requests are distributed across all your nameservers relatively evenly. (This is done by querying servers using a round robin schedule.) If one or more name servers are down, requests will be retried on another nameserver after a timeout. As long as one of your nameservers is up your domain will resolve (slowly at times). You want to have all your nameservers always up.

In your case, you may find that it is simpler to use your ISP or domain registrar to host your domain. They will have one or more backup nameservers and will have resources dedicated to keeping them running.


If all you run is a web server a secondary DNS may not seem that important. However, when your server is down there are a number of reasons you may want a backup DNS server, including:

  • to enable you to ping or traceroute to your host to verify it is down.
  • to prevent users and crawlers from deciding your domain is no longer used.

If your domain gets or sends email you need a backup DNS to establish your credibility and ensure future delivery of email. If a mail server looks up your domain and finds it doesn't exist, it will immediately bounce your email. However, if its DNS lookups succeed and the server is down, then the email will be queued for later delivery. Only if you are down for a few days will your email start bouncing. (Some poorly behaved automated delivery systems try only once and may fail to deliver messages even if your server is up.)

BillThor
1

You don't need to switch to the backup; it's automagic. If a DNS request for a name within your domain gets as far as querying your servers (remember DNS is heavily cached), then if your primary NS server doesn't respond, the secondary NS server will be queried.

If you host your DNS away from the server hosting the services you provide then having 2 is sensible. If one goes down then the other will pick up and your domain is still available.

user9517
  • I've read quite a few comments that indicate that many real-world DNS caching services (like those used by ISP) *don't* re-try using a second name server, they just fail if the first server doesn't respond. For example, [this answer on serverfault](http://serverfault.com/a/130617/1950). In which case, if you have two separate nameservers you need to make sure *both* are up, because either one being down can lead to downtime for the hosted domains. This does go against common practice *and* the RFCs, but seems concerning. – thomasrutter Nov 30 '12 at 02:07
1

In addition to the above:

Besides the fact that a second DNS server is required by RFC, it's also good to avoid negative caching by upstream resolvers. It's common practice to cache the fact that the request did not match any record (NXDOMAIN) / the DNS server could not be found.

As some ISPs have uncommon caching policies it's better to have a second DNS server that answers those requests even if the webserver is down. This way you can avoid the effects of negative caching once the server is back up and running.

Note: In general a neg-cache interval of max. 5 min is suggested (nevertheless some ISPs have really mad values).

justlovingIT
1

You are right -- you don't need a third-party secondary in your situation, and it'll offer few improvements to you, provided that all your other services (including the mail) are still hosted on a single box in a single network.

Yes, both the primary and secondary are run next to each other; both are supposed to have the same information (but coherence of information is not guaranteed in practice); to an outsider's view, there's no difference between the primary and the secondary server, both are viewed the same, generally, only one is used for a given resolution. If one is down, the other one is tried. It'll be a bad idea to have one of the servers in Tokyo, if all of your customers are in New York, because it'll increase the latency of the average resolution (e.g., a bad thing), as the servers are pretty much randomly chosen.

The DNS spec does appear to require that at least two NS records are provided for a domain, so, you might run into some resolvers failing to resolve a name if you somehow manage to set up only a single NS record for your domain.

A good overview on the misconceptions of a secondary third-party DNS service is provided by DJB, the author of djbdns:

http://cr.yp.to/djbdns/third-party.html

Let's have a summary quote from the page:

The bottom line is that, for the vast majority of sites, third-party DNS service has serious costs and negligible benefits, just like third-party HTTP service and third-party SMTP service. The service companies' claims are wildly exaggerated, and should never be used as a substitute for common sense.

cnst
-6

In reality, in much of the world, the backup DNS server is never queried if the primary goes down, because it's an extra step for the resolver. It doesn't want to do that work, and it won't.

So the backup is useless. If the primary goes down, the user's DNS query will return nothing (even if there is a completely fine DNS server available and listed in the name record and spare servers waiting). The user will get a server not found.

Try it.

jesse
  • I really don't know what you are talking about, you really don't seem to understand how DNS works. Your client machine should be pointed at a caching DNS server, not a server that is authoritative for a zone. Every common DNS server I am aware of will attempt to access other name servers if the primary is not available with the default config. It may not fail over if one of the DNS servers is improperly configured. – Zoredache Nov 29 '12 at 21:23